In the Linux kernel, the following vulnerability has been resolved:
mm: fix crashes from deferred split racing folio migration
Even on 6.10-rc6, I've been seeing elusive "Bad page state"s (often on
flags when freeing, yet the flags shown are not bad: PG_locked had been
set and cleared??), and VM_BUG_ON_PAGE(page_ref_count(page) == 0)s from
deferred_split_scan()'s folio_put(), and a variety of other BUG and WARN
symptoms implying double free by deferred split and large folio migration.
6.7 commit 9bcef5973e31 ("mm: memcg: fix split queue list crash when large
folio migration") was right to fix the memcg-dependent locking broken in
85ce2c517ade ("memcontrol: only transfer the memcg data for migration"),
but missed a subtlety of deferred_split_scan(): it moves folios to its own
local list to work on them without split_queue_lock, during which time
folio->_deferred_list is not empty, but even the "right" lock does nothing
to secure the folio and the list it is on.
Fortunately, deferred_split_scan() is careful to use folio_try_get(): so
folio_migrate_mapping() can avoid the race by folio_undo_large_rmappable()
while the old folio's reference count is temporarily frozen to 0 - adding
such a freeze in the !mapping case too (originally, folio lock and
unmapping and no swap cache left an anon folio unreachable, so no freezing
was needed there: but the deferred split queue offers a way to reach it).
References
Configurations
History
08 Aug 2024, 14:55
Type | Values Removed | Values Added |
---|---|---|
References | () https://git.kernel.org/stable/c/be9581ea8c058d81154251cb0695987098996cad - Patch | |
References | () https://git.kernel.org/stable/c/fc7facce686b64201dbf0b9614cc1d0bfad70010 - Patch | |
CVSS |
v2 : v3 : |
v2 : unknown
v3 : 5.5 |
First Time |
Linux linux Kernel
Linux |
|
Summary |
|
|
CWE | CWE-415 | |
CPE | cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:* |
07 Aug 2024, 16:15
Type | Values Removed | Values Added |
---|---|---|
New CVE |
Information
Published : 2024-08-07 16:15
Updated : 2024-08-08 14:55
NVD link : CVE-2024-42234
Mitre link : CVE-2024-42234
CVE.ORG link : CVE-2024-42234
JSON object : View
Products Affected
linux
- linux_kernel
CWE
CWE-415
Double Free